Data Security and GDPR

The General Data Protection Regulation (GDPR), coming into force on May 25th this year, has important implications for data security.

The relevance of GDPR to data security can be broken down into three areas:

• Firstly, by defining what is meant by personal data and by a data breach. GDPR also defines the types of individuals who are authorised to process personal data: the data controller and the data processor, the latter acting under the supervision of the controller.

• Secondly, by looking at what procedures GDPR requires a company to implement in order to provide data security.

• Thirdly, by looking at the procedures a company must follow in the event of a breach, including notifying the authorities.

A data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Procedures to safeguard data

Article 32 of GDPR relates to this area, and it has a number of key elements. It does not require companies to have in place a procedure that is 100 per cent safe from a possible breach; rather, it requires a level of security that is appropriate to the risk, taking the costs of implementation into account.

In full, it states: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

It then requires:

• The pseudonymisation and encryption of personal data;

• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Article continues that assessing the appropriate level of security must take into account the risks associated with processing the data, in particular those arising from a breach as defined above. It states that adherence to an approved code of conduct or an approved certification can be used as evidence to demonstrate compliance. Finally, it requires that any person who is neither the data controller nor the processor but who has access to the data does not process it except on the instructions of the controller.

Procedures in the event of a breach, notifying authorities

GDPR states that the data controller must, “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” notify the supervisory authority in the country where the data controller has its main establishment.

The notification must describe the nature of the breach, give the contact details of the data controller, describe the likely consequences of the breach and outline how the controller plans to address it.

Responsibility of individuals

When a data processor becomes aware of a breach, they must notify the data controller, but it is the controller’s responsibility to notify authorities.

Exception

It is not necessary for the data controller to notify authorities if “the personal data breach is unlikely to result in a risk for the rights and freedoms of a natural person.”

Notification of data subjects

If the data controller believes that the data breach “is likely to result in a high risk to the rights and freedoms of individuals” they must inform the data subjects.

It is not necessary to notify data subjects if:

• The data was rendered “unintelligible to any person who is not authorised to access it, such as encryption.”

• Action is taken post-breach to ensure “that the high risk for the rights and freedoms of data subjects.”

• Notification to a data subject would involve “disproportionate effort.”